Difference between revisions of "LII:HIPAA Compliance - LII 007 03. What Data Are Protected & General Privacy Principle"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
===PHI per Privacy Rule===
===PHI per Privacy Rule===
[[File:PHI.png|left|300 px]]
[[File:PHI.png|left|200 px]]
At the center of all of [[HIPAA]] and [[HITECH]] is a single term and its definition: '''PHI'''. PHI is '''Protected Health Information'''. This is the information that can be linked to a patient and has been identified by the US government as being private to a patient, and as such is protected by both the Privacy Rule and Security Rule of HIPAA, as well as HITECH (for electronic PHI) so that unauthorized sharing is prevented or at least minimized, and access is controlled, with significant sanctions and measures available to be applied in the even of breaches.
At the center of all of [[HIPAA]] and [[HITECH]] is a single term and its definition: '''PHI'''. PHI is '''Protected Health Information'''. This is the information that can be linked to a patient and has been identified by the US government as being private to a patient, and as such is protected by both the Privacy Rule and Security Rule of HIPAA, as well as HITECH (for electronic PHI) so that unauthorized sharing is prevented or at least minimized, and access is controlled, with significant sanctions and measures available to be applied in the even of breaches.



Revision as of 12:11, 9 June 2016

PHI per Privacy Rule

At the center of all of HIPAA and HITECH is a single term and its definition: PHI. PHI is Protected Health Information. This is the information that can be linked to a patient and has been identified by the US government as being private to a patient, and as such is protected by both the Privacy Rule and Security Rule of HIPAA, as well as HITECH (for electronic PHI) so that unauthorized sharing is prevented or at least minimized, and access is controlled, with significant sanctions and measures available to be applied in the even of breaches.

HIPAA lists 18 identifiers that qualify as PHI, and as such must be kept secure and private, in the ways that are set down in HIPAA and HITECH. These identifiers are:

  1. Names
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail (email) addresses
  7. Social Security numbers
  8. Medical record numbers (MRNs)
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are also additional standards and criteria to protect individual's privacy from re-identification. Any code used to replace the identifiers in data sets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable is there was a way to identify the individual even though all of the 18 identifiers were removed.

  • b. De-Identified HI
  • c. Privacy Rule: General Principle – Use/Disclosure